* Markus Kolb (debian@tower-net.de) [031020 12:47]:
> Hello,
>
> how can I setup a forwarding rule with ipchains that a connect to host A
> is redirected to the Apache-SSL webserver listening on host B.
>
> I want to have a transparent forwarding. The user should enter the
> address from host A in his browser and the webserver from host B should
> answer the requests.
>
> The webserver on host B is listening to all addresses at the specific
> port 423.
>
> So at the moment I try with
> ipmasqadm autofw -A -v -r tcp 423 423 -h "${IP from host B}"
> on host A.
>
> If I try to connect https://IP_host_A:423/ I get a connection timeout.
>
> I've just dumped the traffic with ethereal.
> First there is an ICMP Redirect.
> The browser sends a SYN request to the right host B from port 2090 to 423.
> Host B answers with a SYN ACK to browser host from 423 to 2090.
> After this browser sends a reset from 2090 to 423 at host B.

It sounds like you're trying to do this on a host which is not a router
between the browser host and host B. This type of setup will only work
if host A can rewrite addresses in the packets in both directions. This
means the returning packets from host B to the browser must pass through
host A so that they can be rewritten with host A as the source address.

As far as the browser is concerned, it's trying to set up a connection to
Host A, which is not responding. Host B is sending it a SYNACK, but it
doesn't care about Host B -- it never sent a SYN to host B. So it sends B
a RST, same as it would for any other host sending it a random SYNACK
that it knows nothing about.

It sounds like you might have to re-route your network a little bit. It
would probably be easier to forget the NAT and just try something like
redir (a socket redirector) instead.

good times,
Vineet
--
http://www.doorstop.net/
--
"Great spirits have always found violent opposition from mediocre minds.
The latter cannot understand it when a man does not thoughtlessly submit
to hereditary prejudices but honestly and courageously uses his
intelligence." -- Albert Einstein
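The handshake failure described in the reply, modelled as an added example that is not part of the original message or of any tool named in it. The IP addresses are constructed documentation addresses; the ports 2090 and 423 are the ones from the capture, and the function names are hypothetical.

```python
# Constructed model of how the browser's TCP stack matches inbound segments.
from collections import namedtuple

Segment = namedtuple("Segment", "src sport dst dport flags")

# Constructed example addresses (RFC 5737 documentation range).
BROWSER, HOST_A, HOST_B = "192.0.2.10", "192.0.2.1", "192.0.2.2"


def client_reaction(pending_syns, seg):
    """Return the segment the browser sends in answer to an inbound one.

    pending_syns holds (local_ip, local_port, remote_ip, remote_port)
    tuples for connections in SYN_SENT. A SYN-ACK is accepted only if it
    matches one of them exactly; anything else is answered with RST.
    """
    key = (seg.dst, seg.dport, seg.src, seg.sport)
    flags = "ACK" if seg.flags == "SYN-ACK" and key in pending_syns else "RST"
    return Segment(seg.dst, seg.dport, seg.src, seg.sport, flags)


def handshake(return_via_a):
    """Simulate the browser connecting to HOST_A:423, forwarded to HOST_B.

    return_via_a=False: host A only rewrites the destination, and B replies
    straight to the browser with its own source address.
    return_via_a=True: B's reply passes back through A, which rewrites the
    source address to HOST_A before the browser sees it.
    """
    syn = Segment(BROWSER, 2090, HOST_A, 423, "SYN")
    pending = {(syn.src, syn.sport, syn.dst, syn.dport)}
    # Host A forwards the SYN to B with the destination rewritten.
    fwd = syn._replace(dst=HOST_B)
    # Host B answers the source address it saw in the forwarded SYN.
    synack = Segment(HOST_B, fwd.dport, fwd.src, fwd.sport, "SYN-ACK")
    if return_via_a:
        synack = synack._replace(src=HOST_A)
    return client_reaction(pending, synack)


if __name__ == "__main__":
    for mode in (False, True):
        r = handshake(mode)
        print(f"return_via_a={mode}: browser sends {r.flags} to {r.dst}:{r.dport}")
```

With `return_via_a=False` the model reproduces the reset from port 2090 to port 423 on host B seen in the capture; with `True` the handshake completes against host A.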